[dns-operations] Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS

Lee ler762 at gmail.com
Tue Aug 17 23:44:25 UTC 2021


On 8/17/21, Andrew Sullivan <ajs at anvilwalrusden.com> wrote:
> On Tue, Aug 17, 2021 at 01:32:35PM -0400, Viktor Dukhovni wrote:
>>I am far from convinced that it is the resolver's job to enforce RDATA
>>syntax restrictions beyond what is required for a valid wire form.
>
> I completely agree.  Indeed, the history of middleboxes attempting to
> enforce various kinds of restrictions is precisely what has made them
> such a PITA when new features were introduced to the DNS that the
> middleboxes didn't know about.

On the one hand, yes, firewalls do get in the way.
On the other hand, yes, firewalls do get in the way because a firewall
allows you to have a single place to enforce your security policy.

I have a firewall at home, so it's clear where I stand on the matter :)

Regards,
Lee
